Changing the OSGi web console admin password

The user name and password are the credentials for accessing the Apache Felix Web Management Console itself.
The password must be changed after the initial installation to ensure the security of your instance.

To do this:

Navigate to the web console at <server>:<port>/system/console/configMgr.

Navigate to Apache Felix OSGi Management Console and change the user name and password.

Verification Steps

Configure replication and transport users

A standard installation of AEM specifies admin as the user for transport credentials within the default replication agents. Also, the admin user is used to source the replication on the author system.

For security considerations, both should be changed to reflect the particular use case at hand, with the following two aspects in mind:

The transport user should not be the admin user. Rather, set up a user on the publish system that has only access rights to the relevant portions of the publish system and use that user's credentials for the transport.

You can start from the bundled replication-receiver user and configure this user's access rights to match your situation.

The replication user or Agent User Id should also not be the admin user, but a user who can only see content that is supposed to be replicated. The replication user is used to collect the content to be replicated on the author system before it is sent to the publisher.

Check the Operations Dashboard Security Health Checks

AEM 6 introduces the new Operations Dashboard, aimed at helping system operators troubleshoot problems and monitor the health of an instance.

The dashboard also comes with a collection of security health checks. It is recommended you check the status of all the security health checks before going live with your production instance. For more information, consult the Operations Dashboard documentation.

Check if Example Content is Present

All example content and users (e.g. the Geometrixx project and its components) should be uninstalled and deleted completely on a production system before making it publicly accessible.

Note:

The sample Geometrixx applications are removed if this instance is running in Production Ready Mode. If, for any reason, this is not the case, you can uninstall the cq-geometrixx-all-pkg package as described in Uninstalling Packages. You can then delete all geometrixx packages using the same user interface.

Check if the CRX development bundles are present

These development OSGi bundles should be uninstalled on both author and publish production systems before making them accessible.

In the Allow Hosts field, enter all hosts that are allowed as a referrer. Each entry needs to be of the form <protocol>://<server>:<port>. For example:

http://allowed.server:80 allows all requests from this server with the given port.

If you also want to allow https requests from that server, you have to enter a second entry for the https protocol.

If you want to allow all ports from that server, you can use 0 as the port number.

Check the Allow Empty field, if you want to allow empty/missing referrer headers.

Caution:

When using command-line tools such as cURL, supply a Referer header explicitly rather than allowing an empty value; allowing empty referrers might expose your system to CSRF attacks.

In the Filter Methods field, edit the HTTP methods this filter should check.

Click Save to save your changes.
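The check that the steps above configure, modeled in Python as an added example (this is not Sling's implementation): allow-host entries of the form <protocol>://<server>:<port>, a port of 0 meaning any port, the Allow Empty flag, and the set of filtered methods. The default method list (POST, PUT, DELETE), the default ports for http and https, and the sample referrers are assumptions made for the example.

```python
"""Model of the referrer check configured above (added example; not Sling's code).

Allow-host entries have the form <protocol>://<server>:<port>; a port of 0
matches any port. Requests whose method is not in the filtered set pass
without a check, as do empty referrers when Allow Empty is set.
"""
from urllib.parse import urlsplit

# Ports assumed when the Referer header carries none (assumption for the model).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Methods checked by default in this model (assumption: POST, PUT, DELETE).
DEFAULT_FILTER_METHODS = ("POST", "PUT", "DELETE")


def parse_allow_host(entry):
    """Parse '<protocol>://<server>:<port>' into (protocol, server, port)."""
    if "://" not in entry:
        raise ValueError(f"entry must be <protocol>://<server>:<port>: {entry!r}")
    protocol, rest = entry.split("://", 1)
    server, sep, port = rest.rpartition(":")
    if not sep or not server or not port.isdigit():
        raise ValueError(f"entry must include a port (0 = any port): {entry!r}")
    return protocol.lower(), server.lower(), int(port)


class ReferrerFilter:
    def __init__(self, allow_hosts, allow_empty=False,
                 filter_methods=DEFAULT_FILTER_METHODS):
        self.rules = [parse_allow_host(e) for e in allow_hosts]
        self.allow_empty = allow_empty
        self.filter_methods = {m.upper() for m in filter_methods}

    def is_allowed(self, method, headers):
        """Return True if the request passes the referrer check."""
        if method.upper() not in self.filter_methods:
            return True                      # method is not filtered at all
        lower = {k.lower(): v for k, v in headers.items()}
        referer = lower.get("referer", "").strip()
        if not referer:
            return self.allow_empty          # empty or missing referrer
        parts = urlsplit(referer)
        protocol = parts.scheme.lower()
        server = (parts.hostname or "").lower()
        try:
            port = parts.port                # ValueError on a non-numeric port
        except ValueError:
            return False
        if port is None:
            port = DEFAULT_PORTS.get(protocol)
        if not protocol or not server or port is None:
            return False                     # unparseable referrer is rejected
        return any(
            protocol == p and server == s and (allowed_port == 0 or allowed_port == port)
            for p, s, allowed_port in self.rules
        )


if __name__ == "__main__":
    # Constructed configuration: http and https on one host, any port on another.
    f = ReferrerFilter(["http://allowed.server:80",
                        "https://allowed.server:443",
                        "http://any.port.server:0"])
    for method, hdrs in [("POST", {"Referer": "http://allowed.server/form"}),
                         ("POST", {"Referer": "http://allowed.server:8080/form"}),
                         ("POST", {"Referer": "http://any.port.server:8080/x"}),
                         ("POST", {}),
                         ("GET", {})]:
        verdict = "allow" if f.is_allowed(method, hdrs) else "reject"
        print(method, hdrs.get("Referer", "<no referrer>"), "->", verdict)
```

Note that a referrer without an explicit port only matches an entry for the protocol's default port, so allowing http on port 80 does not admit the same host on 8080, and the https case needs its own entry (or port 0) exactly as the steps above describe.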

OSGi Settings

Some OSGi settings are set by default to allow easier debugging of the application. They need to be changed on your author and publish production instances to avoid leaking internal information to the public.

Note:

All of the settings below, with the exception of the Day CQ WCM Debug Filter, are automatically covered by Production Ready Mode. Even so, we recommend reviewing all the settings before deploying your instance in a production environment.

For each of the following services the specified settings need to be changed:

When working with AEM there are several methods of managing the configuration settings for such services; see Configuring OSGi for more details and the recommended practices.

Further Readings

Mitigate Denial of Service (DoS) Attacks

A denial of service (DoS) attack is an attempt to make a computer resource unavailable to its intended users. This is often done by overloading the resource; for example:

With a flood of requests from an external source.

With a request for more information than the system can successfully deliver.
For example, a JSON representation of the entire repository.

By requesting a content page through an unlimited number of URL variants. The URL can include a handle, some selectors, an extension, and a suffix, any of which can be modified.
For example, .../en.html can also be requested as:

.../en.ExtensionDosAttack

.../en.SelectorDosAttack.html

.../en.html/SuffixDosAttack

All valid variations (i.e. those that return a 200 response and are configured to be cached) will be cached by the dispatcher, eventually filling the file system and leaving no service for further requests.
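The variants above all map to the same resource, which is what makes them cheap to generate and expensive to cache. The Python model below, an added example rather than Sling's own resolver, performs a simplified Sling-style decomposition of a request path into resource path, selectors, extension and suffix against a constructed set of resource paths, and then applies the application-level rule this section recommends further down: serve only the explicit selectors and extensions the page needs and return 404 for everything else. The resource paths and the allow-lists are constructed for the example.

```python
"""Sling-style request path decomposition with an allow-list of selectors
and extensions (added example; not Sling's own resolver)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed stand-in for the repository: the resource paths that exist.
RESOURCES: FrozenSet[str] = frozenset({
    "/content/site/en",
    "/content/site/en/jcr:content",
    "/content/site/en/products",
})

# Constructed application policy: the page renders with no selector or with
# the "print" selector, as .html only, and never with a suffix.
ALLOWED_SELECTORS = frozenset({(), ("print",)})
ALLOWED_EXTENSIONS = frozenset({"html"})


@dataclass(frozen=True)
class PathInfo:
    resource_path: str
    selectors: Tuple[str, ...]
    extension: Optional[str]
    suffix: Optional[str]


def resolve_resource(request_path, resources=RESOURCES):
    """Simplified Sling resolution: try the full path, then cut at the
    rightmost '.' until an existing path is found. None if nothing matches."""
    path = request_path
    while path not in resources:
        dot = path.rfind(".")
        if dot < 0:
            return None
        path = path[:dot]
    return path


def decompose(request_path, resources=RESOURCES):
    """Split a request path into resource path, selectors, extension, suffix."""
    resource_path = resolve_resource(request_path, resources)
    if resource_path is None:
        return None
    rest = request_path[len(resource_path):]        # "" or ".sel.sel.ext[/suffix]"
    suffix = None
    slash = rest.find("/")
    if slash >= 0:
        rest, suffix = rest[:slash], rest[slash:]   # everything after "/" is suffix
    segments = rest.split(".")[1:]                  # drop the empty piece before the first "."
    if not segments:
        return PathInfo(resource_path, (), None, suffix)
    return PathInfo(resource_path, tuple(segments[:-1]), segments[-1], suffix)


def dispatch(request_path, resources=RESOURCES):
    """Return the HTTP status this model answers with."""
    info = decompose(request_path, resources)
    if info is None:
        return 404                                  # no such resource
    if info.extension not in ALLOWED_EXTENSIONS:
        return 404                                  # e.g. en.ExtensionDosAttack, or no extension
    if info.selectors not in ALLOWED_SELECTORS:
        return 404                                  # e.g. en.SelectorDosAttack.html
    if info.suffix is not None:
        return 404                                  # e.g. en.html/SuffixDosAttack
    return 200


if __name__ == "__main__":
    for p in ["/content/site/en.html",
              "/content/site/en.print.html",
              "/content/site/en.ExtensionDosAttack",
              "/content/site/en.SelectorDosAttack.html",
              "/content/site/en.html/SuffixDosAttack"]:
        print(dispatch(p), decompose(p))
```

Only the two allow-listed forms of the page answer 200, so only those two can ever reach the dispatcher cache; every other variant of the same resource is a 404 that is cheap to serve and is not cached.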

There are many points of configuration for preventing such attacks, here we only discuss those directly related to AEM.

Configuring Sling to Prevent DoS

Sling is content-centric. This means that processing is focused on the content as each (HTTP) request is mapped onto content in the form of a JCR resource (a repository node):

The first target is the resource (JCR node) holding the content.

Secondly, the renderer, or script, is located from the resource properties in combination with certain parts of the request (e.g. selectors and/or the extension).

This approach makes Sling very powerful and very flexible, but as always it is the flexibility that needs to be carefully managed.

To help prevent DoS misuse you can:

Incorporate controls at the application level; due to the number of variations possible a default configuration is not feasible.

In your application you should:

Control the selectors in your application, so that you only serve the explicit selectors needed and return 404 for all others.

Prevent the output of an unlimited number of content nodes.

Check the configuration of the default renderers, which can be a problem area.

In particular the JSON renderer, which can traverse the tree structure over multiple levels.
For example, the request http://localhost:4502/.json
could dump the whole repository in a JSON representation. This would cause significant server problems. For this reason Sling sets a limit on the maximum number of results. To limit how much of the tree a JSON rendering can return, set the value for JSON Max results (json.maximumresults)
in the configuration for the Apache Sling GET Servlet. When this limit is exceeded the rendering will be collapsed. The default value for Sling within AEM is 200.

As a preventive measure, disable the other default renderers (HTML, plain text, XML), again by configuring the Apache Sling GET Servlet.

Caution:

Do not disable the JSON renderer, this is required for the normal operation of AEM.

Use a firewall to filter access to your instance.

The use of an operating system level firewall is necessary in order to filter access to points of your instance that might lead to denial of service attacks if left unprotected.
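To make concrete what json.maximumresults guards against, here is a Python model of the depth-limited JSON rendering discussed above: the depth selector (.json, .2.json, .infinity.json) decides how many levels of child nodes are rendered, the node count at that depth is compared against the limit, and the rendering is collapsed (in this model, refused and reported) when the limit is exceeded. This is an added example over a constructed node tree, not the Apache Sling GET Servlet's code; the exact collapsed response Sling produces is not modeled.

```python
"""Model of depth-limited JSON rendering with a maximum-results cap
(added example; not the Apache Sling GET Servlet)."""
import json
from dataclasses import dataclass
from typing import Optional

JSON_MAXIMUM_RESULTS = 200   # AEM's default for json.maximumresults


def node(props, **children):
    """Build a constructed repository node: properties plus named children."""
    return {"props": props, "children": children}


# Constructed stand-in for the repository tree (6 nodes in total).
REPO = node(
    {"jcr:primaryType": "rep:root"},
    content=node(
        {"jcr:primaryType": "sling:Folder"},
        site=node(
            {"jcr:primaryType": "cq:Page"},
            en=node({"jcr:primaryType": "cq:Page"}),
            de=node({"jcr:primaryType": "cq:Page"}),
        ),
    ),
    apps=node({"jcr:primaryType": "sling:Folder"}),
)


def parse_depth(selector):
    """'.json' -> 0 levels, '.2.json' -> 2, '.infinity.json' -> None (unbounded)."""
    if not selector:
        return 0
    if selector == "infinity":
        return None
    depth = int(selector)
    if depth < 0:
        raise ValueError("depth selector must be >= 0 or 'infinity'")
    return depth


def count_nodes(n, depth):
    """Number of nodes that rendering n with `depth` levels of children emits."""
    total = 1
    if depth is None or depth > 0:
        child_depth = None if depth is None else depth - 1
        for child in n["children"].values():
            total += count_nodes(child, child_depth)
    return total


def render(n, depth):
    """Properties of n plus its children rendered to the remaining depth."""
    out = dict(n["props"])
    if depth is None or depth > 0:
        child_depth = None if depth is None else depth - 1
        for name, child in n["children"].items():
            out[name] = render(child, child_depth)
    return out


@dataclass
class JsonResponse:
    collapsed: bool
    node_count: int
    body: Optional[str]


def get_json(root, depth_selector, maximum_results=JSON_MAXIMUM_RESULTS):
    """Serve <resource>.<depth>.json, collapsing when the cap would be exceeded."""
    depth = parse_depth(depth_selector)
    count = count_nodes(root, depth)
    if count > maximum_results:
        return JsonResponse(True, count, None)      # collapsed: no full dump
    return JsonResponse(False, count, json.dumps(render(root, depth)))


if __name__ == "__main__":
    # A deliberately tiny cap shows the collapse on this small tree.
    for sel in ["", "1", "2", "infinity"]:
        r = get_json(REPO, sel, maximum_results=4)
        label = f".{sel}.json" if sel else ".json"
        print(label, "->", r.node_count, "nodes,", "collapsed" if r.collapsed else r.body)
```

The count is taken before anything is serialised, so an .infinity.json request over a large tree costs a traversal but never an unbounded response body; the smaller the cap, the shallower the deepest rendering an anonymous client can pull.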

Disable WebDAV

WebDAV should be disabled on the publish environment. This can be done by stopping the appropriate OSGi bundles.

Verify That You Are Not Disclosing Personally Identifiable Information In the Users Home Path

It is important that you protect your users by making sure that you do not expose any personally identifiable information in the repository users home path.

With AEM 6.1, the way user (also known as authorizable) ID node names are stored has changed with a new implementation of the AuthorizableNodeName interface. The new implementation no longer exposes the user ID in the node name, but generates a random name instead.

No configuration needs to be performed in order to enable it, as this is the default way of generating authorizable IDs in AEM 6.1.

Although not recommended, you can disable it in case you need the old implementation for backwards compatibility with your existing applications. To do this, delete the Apache Jackrabbit Oak Random Authorizable Node Name OSGi configuration from the Web Console.